What's new around the internet

Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Src: AlienVault | Date (GMT): 2017-03-20 13:00:00 | Title: Interview with Daniel Cid, founder of OSSEC (direct link)

Daniel Cid is the founder and CTO of Sucuri. He's also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security and the security of content management systems (CMS).

Q: What are the most serious challenges and trends you are seeing with website security?

At a high level, the most popular CMS platforms (e.g. WordPress, Magento, Drupal, etc.) and frameworks are getting a lot better in terms of security, whether it's secure-by-default configurations or employing more appropriate secure coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform that is leading the charge on this is WordPress, and a perfect example of this system is best illustrated by the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch millions of sites very quickly and effectively in a one-week period. As impactful as these changes are, however, they aren't stopping the attacks and the compromises. Simply put, it's not because platform security is the problem, but rather that website security is much more complex than code or tools, and needs the people and processes behind it to remain secure. Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note that it actually takes a lot more than 5 minutes to secure and harden the environment, let alone configure it to be fully functional to your liking.

That isn't the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today's webmasters, which is very low. So I think the main challenge I see right now is that there needs to be a level of education for the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and they include investing some energy into security. These steps need to be more visible, actionable and easier to adopt.

Q: Can just buying products really fix website security?

No. Technology alone will never be the solution; just buying a product won't work at any level of security. Note that we do sell cloud-based security software (a WAF for websites), but we work very hard to have a dialogue with our customers in which we try to educate and communicate the importance of people, process and technology in their security posture.

Q: What do you think about OWASP and other organizations that are focused on web application security?

I think they are great. They are a powerful resource for developers and security professionals to become more aware of web application security issues.

Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using WordPress currently?

The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spre

Tags: Guideline | Stories: APT 19
Src: SANS | Date (GMT): 2016-07-01 04:22:19 | Title: APT and why I don't like the term, (Fri, Jul 1st) (direct link)

Introduction

In May 2015, I wrote a diary describing a SOC analyst pyramid. It describes the various types of activity SOC analysts encounter in their daily work [1]. In the comments, someone stated I should've included the term advanced persistent threat (APT) in the pyramid. But APT is supposed to describe an adversary, not the activity.

As far as I'm concerned, the media and security vendors have turned APT into a marketing buzzword. I do not like the term APT at all.

With that in mind, this diary looks at the origin of the term APT. It also presents a case for and a case against using the term.

Origin of APT

In 2006, members of the United States Air Force (USAF) came up with APT as an unclassified term to refer to certain threat actors in public [2].

Background on the term can be found in the July/August 2010 issue of Information Security magazine. It has a feature article titled "What APT is (And What it Isn't)" written by Richard Bejtlich.

Shown above: An image showing the table of contents entry for Bejtlich's article.

According to Bejtlich, if the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker (page 21). Based on later reports about cyber espionage, I believe APT was originally used for state-sponsored threat actors like those in China [3].

A case for using APT

Bejtlich's article has specific guidelines on what constitutes an APT. He also discussed it on his blog [4]. Some key points follow: Advanced means the adversary can operate in the full spectrum of computer intrusion. Persistent means the adversary is formally tasked to accomplish a mission. Threat refers to a group that is organized, funded, and motivated.

If you follow these guidelines, using APT to describe a particular adversary is well-justified. Mandiant's report about a Chinese state-sponsored group called APT1 is a good example [3]. In my opinion, FireEye and Mandiant have done a decent job of using APT in their reporting.

A case against APT

The terms advanced and persistent, and even threat, are subjective. This is especially true for leadership waiting on the results of an investigation.

Usually, when I've talked with people about APT, they're often referring to a targeted attack. Some people I know have also used APT to describe an actor behind a successful attack, but it wasn't something I considered targeted. We always think our organization is special, so if we're compromised, it must be an APT! If your IT infrastructure has any sort of vulnerability (because people are trained to balance risk and profit), you're as likely to be compromised by a common cyber criminal as you are by an APT.

Bejtlich states that after Google's Operation Aurora breach in 2010, widespread attention was brought to APT. At that point, many vendors saw APT as a marketing angle to rejuvenate a slump in security spending [2].

Shown above: An example of media reporting on APT.

A good example of bad reporting is the Santa-APT blog post from CloudSek in December 2015. However, other sources have reported the info [

Tags: Guideline | Stories: APT 1
Last update at: 2024-06-30 06:07:50